[syslog-ng] Syslog destination time/folder issues

Scheidler, Balázs balazs.scheidler at balabit.com
Wed Nov 23 18:24:24 UTC 2016


Yes, an incorrectly parsed month is considered -1, thus it underflows back
into the last year.

Wrt testing, if you can just deploy syslog-ng, that'd be great.

On Nov 23, 2016 08:54, "Marco Mignone" <info at marcomignone.com> wrote:

Hi Bazsi,
Thanks for the info.
Do you think that can affect also the ‘year’ behaviour?

I would love to provide some help testing this... but I am not good at it :(

Thanks for the explanation and for pointing at the mod.

Regards,
Marco


On 22 Nov 2016, at 23:41, Balazs Scheidler <bazsi77 at gmail.com> wrote:

The issue is that syslog-ng only processes mixed case month names, e.g.
"Nov" instead of "NOV"

This pull request contains the as-of-now unmerged fix:
https://github.com/balabit/syslog-ng/pull/1263


Any testing is absolutely welcome.

On Tue, Nov 22, 2016 at 12:30 PM, Marco Mignone <info at marcomignone.com>
wrote:

> Hi All,
> I am experiencing a weird problem with Syslog-NG 3.8.1 on Ubuntu 14.04
>
> When syslog receives syslog messages from a couple of specific nodes it
> saves it on a destination folder as per the config below:
>
> source s_rohnet {
>   network(
>     transport("udp")
>   );
> };
>
> destination d_rohnet_switches {
>   file("/var/log/ROHNetwork/${YEAR}.${WEEK}/${HOST}.log" create-dirs(yes)
> dir-owner("rohadmin"));
> };
>
>
> The devices are NTP synchronised and the date output is correct on the
> Ubuntu server:
>
> >date
>
> Tue Nov 22 11:21:14 GMT 2016
>
> Besides this, the log folders created where the files get stored are:
> */2015.51*/192.168.33.8.log (it should be /*2016.47*/).
>
> This is happening only for two nodes while all the rest seems to work fine.
>
> I have captured some network traffic and the message received by syslog-ng
> on the network card seems also correct as per Wireshark output:
>
> Syslog message: LOCAL6.NOTICE:  NOV 22 10:31:23 192.168.33.8-1
> CMDLOGGER[165319912]: cmd_logger_api.c(83) 13518 %% CLI:192.168.32.100:root:User
>  logged in
>
> This is a Dell switch and I am opening a case with them but I would like
> to know where else I should check for configuration errors.
>
> Syslog config is exactly the one reported above.
>
> Any idea of what I could check for further troubleshooting on the Syslog
> side?
>
> Thanks,
> Marco
>
> ____________________________________________________________
> __________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation: http://www.balabit.com/support/documentation/?product=
> syslog-ng
> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>
>
>


-- 
Bazsi
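
The failure described in this thread, as an added example (not syslog-ng's code and not the change in pull request 1263): a case-sensitive month lookup returns -1 for "NOV", and normalizing month -1 lands in December of the previous year, which is how a `${YEAR}.${WEEK}` path becomes 2015.51 instead of 2016.47. Assumptions: the function names are hypothetical, the receiver supplies the year 2016 because the BSD timestamp has none, `mktime()` stands in for the underflow, and `%W` stands in for `${WEEK}`.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

static const char *MONTHS[12] = {"Jan", "Feb", "Mar", "Apr", "May", "Jun",
                                 "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"};

/* Returns 0..11, or -1 when the 3-letter token matches no month name. */
static int month_index(const char *tok, int ignore_case)
{
    for (int i = 0; i < 12; i++) {
        int j = 0;
        for (; j < 3; j++) {
            int a = (unsigned char)tok[j], b = (unsigned char)MONTHS[i][j];
            if (ignore_case) { a = tolower(a); b = tolower(b); }
            if (a != b) break;
        }
        if (j == 3) return i;
    }
    return -1;
}

/* Hypothetical helper: builds the "YEAR.WEEK" directory name for a BSD
 * timestamp. Returns 0 on success, -1 if the stamp is malformed or rejected. */
int bucket_for_stamp(const char *stamp, int year, int ignore_case,
                     int reject_unknown, char *out, size_t outlen)
{
    char mon[4] = "";
    struct tm tm = {0};
    if (sscanf(stamp, "%3s %d %d:%d:%d", mon, &tm.tm_mday,
               &tm.tm_hour, &tm.tm_min, &tm.tm_sec) != 5)
        return -1;
    tm.tm_mon = month_index(mon, ignore_case);
    if (tm.tm_mon < 0 && reject_unknown)
        return -1;               /* caller can fall back to receive time */
    tm.tm_year = year - 1900;
    tm.tm_isdst = -1;
    mktime(&tm);                 /* month -1 normalizes to Dec of year-1 */
    return strftime(out, outlen, "%Y.%W", &tm) ? 0 : -1;
}

int main(void)
{
    char buf[16];
    for (int ci = 0; ci <= 1; ci++)  /* 0 = case-sensitive, 1 = insensitive */
        if (bucket_for_stamp("NOV 22 10:31:23", 2016, ci, 0, buf, sizeof buf) == 0)
            printf("ignore_case=%d -> %s\n", ci, buf);
    return 0;
}
```

With `reject_unknown` set, an unrecognized month is refused instead of being silently filed under the wrong year, so the caller can stamp the message with its receive time.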